In our recent middle-of-life masterclass session, Microsoft MVP Jasper Oosterveld (@jasoosterveld) covered processes you can implement to ensure your Teams environment remains organized, efficient, and secure.
As more and more organizations shift to distributed work, the use of Microsoft Teams—and the number of teams and volume of data in a tenant—has significantly increased. This means that monitoring and securing your Teams environment is more important than ever.
Team membership tends to change over time and external access to content can exceed the original business need, resulting in ownerless teams and potential security risks. IT departments that rolled out Teams without a clear deployment plan in place now face the challenge of finding a scalable way to maintain a clean and well-managed Microsoft 365 environment.
In the second session from ShareGate’s recent 3-part masterclass, Create a dream Teams: Mastering Microsoft Teams management across the entire lifecycle, I covered middle-of-life best practices that can help you maintain an organized, efficient, and secure Teams environment.
Review Microsoft team membership
Team membership tends to change over time as people move between departments and projects or leave an organization.
You want to be certain the right people have (or still need to have) access to a team and all its content, because the people who need to be in a team at the beginning of a project don’t always need to remain in the team later on.
That’s why having team owners is so important, because owners are accountable for each team.
So, what kinds of permissions do owners, members, and guests have? First, let’s look at the different permissions available in Microsoft Teams:
As you can see, an owner can edit and delete a team, add members, and promote another member to owner status, among other things. This is because owners are responsible for managing their team and ensuring the content within it is secured.
But team owners are busy and they don’t always monitor who has access to what in Teams, so sometimes IT admins have to step in.
You can review a team’s membership a few different ways:
- Within the Microsoft team itself
- Through the Microsoft Teams admin center
- Via Azure access reviews (note: this requires an Azure AD Premium P2 license)
- With ShareGate Apricot, ShareGate’s automated management platform for Microsoft Teams
Something to look out for when you’re reviewing team membership is making sure that all of the teams in your tenant have at least one owner. Sometimes the owner of a team leaves the company. If you don’t have a second owner—which I definitely recommend having whenever possible!—then you can end up with ownerless Microsoft teams.
Members of an ownerless team will still be able to use it, but if the team is private, no one within the team will be able to add or remove users without the help of IT. Additionally, not having an owner who can manage your team’s membership and be held accountable for security can cause risks for your business.
There are a few ways you can identify ownerless teams:
- Microsoft Teams admin center
- A third-party tool like ShareGate Apricot
ShareGate Apricot identifies ownerless teams for you and allows you to easily promote a new owner in the interface. It also recommends who might be the best candidate for a new owner based on user activity.
What are my recommendations?
- Assign each team at least two owners! This helps guarantee accountability to the members of the team and the security of the content.
- Educate your owners on how to manage the membership of members and guests.
- Implement a periodic review of membership to find and fix any ownerless teams.
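The checks recommended above (no ownerless teams, at least two owners per team), as an added PowerShell example that is not ShareGate's or Microsoft's code. The sample teams and the Get-TeamOwnershipFinding function name are constructed for illustration; the commented lines show how the same input could be built with the MicrosoftTeams module's Get-Team and Get-TeamUser cmdlets.

```powershell
# Added example: flags teams that miss the "at least two owners"
# recommendation and counts guests so the review can prioritise them.
function Get-TeamOwnershipFinding {
    param(
        [Parameter(Mandatory)] [object[]] $Team,  # objects with Team + Members
        [int] $MinimumOwners = 2
    )
    foreach ($t in $Team) {
        # Get-TeamUser reports Role as 'owner', 'member' or 'guest'.
        $owners = @($t.Members | Where-Object { $_.Role -eq 'owner' })
        $guests = @($t.Members | Where-Object { $_.Role -eq 'guest' })
        if ($owners.Count -eq 0) {
            $finding = 'Ownerless'
        } elseif ($owners.Count -lt $MinimumOwners) {
            $finding = 'TooFewOwners'
        } else {
            $finding = 'OK'
        }
        [pscustomobject]@{
            Team    = $t.Team
            Owners  = $owners.Count
            Guests  = $guests.Count
            Finding = $finding
        }
    }
}

# Constructed sample data. In a tenant, build the same shape after
# Connect-MicrosoftTeams (teams with no users at all still get a row):
#   $teams = Get-Team | ForEach-Object {
#       [pscustomobject]@{ Team    = $_.DisplayName
#                          Members = @(Get-TeamUser -GroupId $_.GroupId) }
#   }
$teams = @(
    [pscustomobject]@{ Team = 'Project Alpha'; Members = @(
        [pscustomobject]@{ User = 'ana@contoso.example'; Role = 'owner' },
        [pscustomobject]@{ User = 'ben@contoso.example'; Role = 'owner' },
        [pscustomobject]@{ User = 'cy@partner.example';  Role = 'guest' }) },
    [pscustomobject]@{ Team = 'Finance'; Members = @(
        [pscustomobject]@{ User = 'dee@contoso.example'; Role = 'owner' },
        [pscustomobject]@{ User = 'eli@contoso.example'; Role = 'member' }) },
    [pscustomobject]@{ Team = 'Old Campaign'; Members = @(
        [pscustomobject]@{ User = 'fay@contoso.example'; Role = 'member' },
        [pscustomobject]@{ User = 'gus@vendor.example';  Role = 'guest' }) }
)

# Show only teams that need attention, ownerless ones first.
Get-TeamOwnershipFinding -Team $teams | Where-Object Finding -ne 'OK' |
    Sort-Object Finding | Format-Table -AutoSize
```

An ownerless team that still has guests, like the constructed "Old Campaign" entry, is the case to resolve first, since nobody inside the team can remove that external access.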
Review Microsoft Teams external sharing links
External sharing links are great when you’re collaborating on a project with a freelancer, consultant, etc., but external users typically only need access to shared content for the duration of a project or goal.
If you share a link with an external user and never look back, you open yourself up to security risks if the content in that link changes or the external user’s relationship with your organization shifts.
That’s why I recommend conducting external sharing reviews, to guarantee that people outside your organization only have the access they need.
There are two main ways to conduct external sharing reviews:
- Run a report on file and folder sharing links for each team’s SharePoint site.
- Schedule automatic external sharing reviews with ShareGate Apricot
Within SharePoint, if you go to “Site usage”, it gives you a little bit of insight into what type of content is shared with whom. But, it’s not the best way forward if you have a lot of sites, as you need to manually pull these reports for every site you have in your Microsoft 365 environment.
Once you’ve reviewed the external sharing links, you still need to determine if changes need to be made to a sharing link (or if access should be revoked), information that the team owner probably has a better handle on than an IT admin.
So, you’ll need to reach out to them and ask them to make any necessary changes. Then, you’ll have to manually log any changes for compliance and internal auditing purposes. All in all, it’s a time-consuming process.
We know this can be a pain. So, when you're in the ShareGate Apricot app and click on a team or group, you can see all the links that have been shared externally, when they were shared, and with whom. You can remove access yourself by deleting those links. But again, owners typically know best which links still need to be shared and which don't.
That’s why you can schedule external sharing reviews with ShareGate Apricot. It’s a fully automated feature, so all you have to do is set a start date and the frequency at which you want links reviewed, and owners will be asked to review externally shared links and to validate or remove access.
You’ll be able to track the progress of each external sharing review in the app, and changes that team owners make will be logged automatically.
What’s my recommendation?
- Implement a periodic review of external sharing links to prevent unnecessary access to sensitive content in your teams.
Takeaways from part 2
- Periodically review membership and data access of all your teams! Do this to identify ownerless teams (and then assign new owners), as well as to ensure that only external users who actually need the information have access to your organization’s files and folders.
- Team owners are typically in the best position to know whether or not external links still need to be shared, so make sure to get their input during your periodic reviews.